Posted: Wed Jun 05, 2019 17:30 Post subject: My DNS is leaking w/ Unbound, VPN & PBR
I'm running DD-WRT r39884 on a Linksys WRT32X with a VPN (Private Internet Access) using Policy Based Routing. My PBR configuration has IP addresses 192.168.1.100 through 192.168.1.150 routing through the VPN and all others going straight out through the ISP.
Here's my problem - it appears that Unbound is going straight through to the ISP for DNS queries because DNSLeakTest.com is reporting that Comcast is providing DNS service. I wish to avoid that.
With the default Unbound configuration (via checking the GUI box on the setup page), what are the simplest ways to 1) put Unbound behind the VPN and 2) force Unbound to use DNS servers of my choosing?
no-resolv
interface=tun1
server=1.1.1.1 #CloudFlare DNS Server
into Dnsmasq Options and made sure that "Use DNSMasq For DNS" and "Query DNS in Strict Order" were both checked. (I tried this with and without the 'interface=tun1' command and rebooted after the 'save'.)
This did not help. My router is based on the Marvell chipset, so a Kong build really is not an option if I want the latest security updates and the current (fully functional) driver.
Any thoughts? I just want the DNS queries to go anywhere but to my ISP (Comcast). Is there any way to create a Policy for Unbound to use the VPN? Or am I smoking crack?
Disabling Unbound and leaving everything else as described sends all DNS traffic to CloudFlare (likely via my ISP); however, Secure DNS & Encrypted SNI are only present in a properly configured browser, so this is still not good because anyone "listening on the wire" can otherwise see the DNS queries & website connections.
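An added example, not code from the original post or from DD-WRT: a firewall/startup script fragment that does the two things the post asks for. It writes an Unbound forward-zone that sends every query to resolvers of your choosing and binds Unbound's outgoing queries to the VPN tunnel's own address (Unbound's `outgoing-interface` option), so the queries ride the tunnel instead of the ISP link, and it installs iptables rules that drop any port-53 traffic leaving through the ISP interface so a misconfiguration or a VPN drop fails closed. The tunnel name `tun1`, the WAN name `eth0`, the Cloudflare upstreams, the `/jffs/etc/unbound.d` directory and the assumption that the main `unbound.conf` carries an `include: "/jffs/etc/unbound.d/*.conf"` line are all assumptions of this example, not facts from the thread.

```shell
#!/bin/sh
# Added example, not code from the original post. A DD-WRT firewall/startup
# script fragment that does the two things the post asks for:
#   1) forward every Unbound query to resolvers of your choosing, sourced from
#      the VPN tunnel's own address so the query rides the tunnel, not the ISP;
#   2) drop any port-53 traffic that would leave through the ISP interface, so a
#      misconfiguration or a VPN drop fails closed instead of leaking to Comcast.
# Assumptions (not stated in the thread): tunnel interface tun1, WAN interface
# eth0, Cloudflare upstreams, and an Unbound config that includes
# /jffs/etc/unbound.d/*.conf (add that include line to the main unbound.conf).

TUN_IF="${TUN_IF:-tun1}"
WAN_IF="${WAN_IF:-eth0}"
UPSTREAMS="${UPSTREAMS:-1.1.1.1 1.0.0.1}"     # space-separated, split on purpose below
CONF_DIR="${CONF_DIR:-/jffs/etc/unbound.d}"

# IPv4 address currently on the tunnel (e.g. 10.8.0.6); empty when the VPN is down.
tun_addr() {
    ip -4 addr show dev "$1" 2>/dev/null |
        awk '/inet /{split($2, a, "/"); print a[1]; exit}'
}

# Emit an Unbound config fragment: forward the root zone ("." = every name) to the
# given resolvers, and bind outgoing queries to the tunnel address $1. Without
# outgoing-interface Unbound sources queries from whatever address routes to
# 1.1.1.1, which under the post's PBR setup is the ISP link: that is the leak.
unbound_forward_conf() {
    src_ip="$1"; shift
    printf 'server:\n'
    printf '    outgoing-interface: %s\n' "$src_ip"
    printf 'forward-zone:\n'
    printf '    name: "."\n'
    for resolver in "$@"; do
        printf '    forward-addr: %s\n' "$resolver"
    done
}

# Emit idempotent iptables commands that drop DNS leaving the ISP interface $1,
# both from the router itself (OUTPUT) and from LAN clients that point at a
# public resolver directly (FORWARD). Tunnel traffic is unaffected: it exits
# via tun1. If your VPN endpoint itself listens on UDP/TCP 53, exempt it first.
dns_killswitch_rules() {
    wan="$1"
    for chain in OUTPUT FORWARD; do
        for proto in udp tcp; do
            rule="$chain -o $wan -p $proto --dport 53 -j DROP"
            printf 'iptables -C %s 2>/dev/null || iptables -I %s\n' "$rule" "$rule"
        done
    done
}

main() {
    dns_killswitch_rules "$WAN_IF" | sh        # block first, configure second
    tun_ip="$(tun_addr "$TUN_IF")"
    if [ -z "$tun_ip" ]; then
        # VPN down: leave the drop rules in place and write no forwarder, so
        # resolution fails rather than silently falling back to the ISP path.
        echo "$TUN_IF has no address; DNS stays blocked on $WAN_IF" >&2
        return 1
    fi
    mkdir -p "$CONF_DIR"
    # shellcheck disable=SC2086  (word-splitting $UPSTREAMS is intended)
    unbound_forward_conf "$tun_ip" $UPSTREAMS > "$CONF_DIR/vpn-forward.conf"
    # Pick up the new fragment: unbound-control if remote-control is on, else SIGHUP.
    unbound-control reload 2>/dev/null || killall -HUP unbound
}

# Run from DD-WRT's firewall script (and again from the OpenVPN "up" hook so the
# address is re-read after a reconnect): APPLY=1 sh /jffs/dns-via-vpn.sh
if [ "${APPLY:-0}" = 1 ]; then
    main
fi
```

Two caveats a practitioner will hit with this layout. First, dnsmasq's `interface=` option (as tried in the post) selects where dnsmasq listens, not which interface its upstream queries leave on; the egress control for Unbound is `outgoing-interface`, which is why the fragment sets that rather than anything in dnsmasq. Second, OpenVPN has to resolve the VPN server's hostname before the tunnel exists, and with the drop rules in place that bootstrap lookup is blocked on the WAN; use the server's IP address in the OpenVPN config, or exempt that one destination. To confirm nothing leaks, run `tcpdump -ni eth0 port 53` on the router while a client resolves a name: the capture should stay silent, and the same query should appear on `tun1` instead.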
Or you can try DNSCrypt or Stubby with DNS over TLS,
where Stubby uses recursive DNS servers too; here is a bit of a talk about Stubby: Stubby for DNS over TLS
I made it work via Entware on my lower-grade router; otherwise I use DNSCrypt on my other devices if possible.
There is also a VPN kill switch, but this is not the case here...
If your DNSCrypt option is missing from the GUI and you still have the module for it, you can force it to run via a startup script...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913